View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0000063fileGeneralpublic2019-02-18 08:462019-02-19 13:17
Reporterspinpx Assigned Tochristos  
PriorityurgentSeveritymajorReproducibilityalways
Status resolvedResolutionfixed 
Platformx86_64OSDebianOS Version10
Product Version5.35 
Fixed in Version5.36 
Summary0000063: Stack buffer overflow 2
DescriptionWe build file with `--disable-libseccomp` by clang 4.0.0 and ASAN.
We ran the program with the input we provide without any other arguments.

The bugs exists in file 5.35 and the newest git version commit 5b9408cbbd401c13873bf944d3085785547e9915 .

==1104585==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd001ebb00 at pc 0x00000052240b bp 0x7ffd001eb6c0 sp 0x7ffd001eb6b8
READ of size 1 at 0x7ffd001ebb00 thread T0
    #0 0x52240a in file_printable /home/chenpeng/data/FuzzingBench/file/file-git/src/funcs.c:631:57
    0000001 0x550158 in do_core_note /home/chenpeng/data/FuzzingBench/file/file-git/src/readelf.c:762:8
    0000002 0x54db93 in donote /home/chenpeng/data/FuzzingBench/file/file-git/src/readelf.c:1197:7
    0000003 0x549826 in dophn_exec /home/chenpeng/data/FuzzingBench/file/file-git/src/readelf.c:1689:14
    0000004 0x545e2d in file_tryelf /home/chenpeng/data/FuzzingBench/file/file-git/src/elfclass.h:58:7
    0000005 0x51f29b in file_buffer /home/chenpeng/data/FuzzingBench/file/file-git/src/funcs.c:305:8
    0000006 0x4f5b5d in file_or_fd /home/chenpeng/data/FuzzingBench/file/file-git/src/magic.c:508:6
    0000007 0x4f5cd6 in magic_file /home/chenpeng/data/FuzzingBench/file/file-git/src/magic.c:397:9
    0000008 0x4f3fd5 in process /home/chenpeng/data/FuzzingBench/file/file-git/src/file.c:546:9
    #9 0x4f1c4b in main /home/chenpeng/data/FuzzingBench/file/file-git/src/file.c:416:9
    0000010 0x7fe9e3d9f09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    0000011 0x41d689 in _start (/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/file+0x41d689)

Address 0x7ffd001ebb00 is located in stack of thread T0 at offset 768 in frame
    #0 0x54fbaf in do_core_note /home/chenpeng/data/FuzzingBench/file/file-git/src/readelf.c:713

  This frame has 2 object(s):
    [32, 544) 'sbuf'
    [608, 768) 'pi' <== Memory access at offset 768 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/chenpeng/data/FuzzingBench/file/file-git/src/funcs.c:631:57 in file_printable
Shadow bytes around the buggy address:
  0x100020035710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020035720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020035730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020035740: 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00
  0x100020035750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100020035760:[f3]f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x100020035770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020035780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020035790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000200357a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000200357b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==1104585==ABORTING
Steps To Reproducerun:
# file sbo2
TagsNo tags attached.

Activities

spinpx

2019-02-18 08:46

reporter  

sbo2 (1,192 bytes)    
ELFHi World
��4�̀�X (���������d ������ nŇ�c
����Pw.������4���OFreeBSD�@�����d��������������"����"�����������������������������FreeBSD�@@����d������NetBSD-CORE���"����"�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������̀
sbo2 (1,192 bytes)   

christos

2019-02-18 17:47

manager   ~0003212

Thanks, should be fixed with:

/p/file/cvsroot/file/src/file.h,v <-- file.h
new revision: 1.202; previous revision: 1.201
/p/file/cvsroot/file/src/funcs.c,v <-- funcs.c
new revision: 1.101; previous revision: 1.100
/p/file/cvsroot/file/src/readelf.c,v <-- readelf.c
new revision: 1.161; previous revision: 1.160
/p/file/cvsroot/file/src/softmagic.c,v <-- softmagic.c
new revision: 1.277; previous revision: 1.276

spinpx

2019-02-19 08:12

reporter   ~0003216

CVE-2019-8905

Issue History

Date Modified Username Field Change
2019-02-18 08:46 spinpx New Issue
2019-02-18 08:46 spinpx File Added: sbo2
2019-02-18 17:47 christos Assigned To => christos
2019-02-18 17:47 christos Status new => assigned
2019-02-18 17:47 christos Status assigned => feedback
2019-02-18 17:47 christos Note Added: 0003212
2019-02-19 08:12 spinpx Note Added: 0003216
2019-02-19 08:12 spinpx Status feedback => assigned
2019-02-19 13:17 christos Status assigned => resolved
2019-02-19 13:17 christos Resolution open => fixed
2019-02-19 13:17 christos Fixed in Version => 5.36